[keycloak-user] Speed up token generation by HMAC or EC-signing

Marek Posolda mposolda at redhat.com
Tue May 30 10:53:18 EDT 2017


We have a JIRA for elliptic curves, but didn't get to it yet.

For signing tokens with HMAC, there is no plan for it AFAIK. It is not 
great to sign accessTokens and idTokens with HMAC anyway, since the 
applications would need to have access to the realm signing key, as it 
is symmetric. This can be a security hole, as then the application can 
generate and sign tokens by itself. Hence we rather rely on 
asymmetric cryptography - Keycloak signs tokens with the private key and 
the application has just the public key to verify signatures.

We just have a JIRA for supporting HMAC-signed refresh tokens - this is 
ok, as those refresh tokens are just an opaque string for the 
application. The application doesn't need to verify signatures on them.

Marek
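As an added example (not Marek's code and not Keycloak's own implementation), the following Go program shows the point above with a minimal JWS implementation built on the standard library only: an application that verifies HS256 tokens must hold the realm's HMAC secret, and with that same secret it can mint a token with any claims it likes that the realm's own verifier accepts; with ES256 (the EC alternative Eduard asked about) the application holds only the public key, and a token signed with any key it can produce is rejected. The realm secret, the claim values and the key pairs are constructed for the demonstration; nothing here is taken from Keycloak.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var enc = base64.RawURLEncoding // JWS uses base64url without padding

// signingInput builds "base64url(header).base64url(payload)" for the given alg.
func signingInput(alg string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	pl, _ := json.Marshal(claims)
	return enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
}

// decodeJSON base64url-decodes one JWS segment and unmarshals it into v.
func decodeJSON(seg string, v any) bool {
	b, err := enc.DecodeString(seg)
	return err == nil && json.Unmarshal(b, v) == nil
}

// splitToken parses a compact JWS and pins the expected alg: a header naming any other algorithm (alg confusion) is rejected before a key is touched.
func splitToken(token, wantAlg string) (string, map[string]any, []byte, bool) {
	parts := strings.Split(token, ".")
	hdr, claims := map[string]string{}, map[string]any{}
	if len(parts) != 3 || !decodeJSON(parts[0], &hdr) || hdr["alg"] != wantAlg || !decodeJSON(parts[1], &claims) {
		return "", nil, nil, false
	}
	sig, err := enc.DecodeString(parts[2])
	return parts[0] + "." + parts[1], claims, sig, err == nil
}

// SignHS256 mints an HMAC-SHA256 token; anyone holding the secret can call it, which is the problem when that secret is the realm signing key handed to applications.
func SignHS256(secret []byte, claims map[string]any) string {
	input := signingInput("HS256", claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 checks an HS256 token with the same shared secret (constant-time compare).
func VerifyHS256(secret []byte, token string) (map[string]any, bool) {
	input, claims, sig, ok := splitToken(token, "HS256")
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	if !ok || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, false
	}
	return claims, true
}

// GenerateRealmKey creates a P-256 key pair; only the realm keeps the private half.
func GenerateRealmKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SignES256 mints an ECDSA P-256/SHA-256 token; JWS encodes the signature as r || s, each left-padded to 32 bytes, not the ASN.1 DER form Go produces by default.
func SignES256(priv *ecdsa.PrivateKey, claims map[string]any) string {
	input := signingInput("ES256", claims)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc.EncodeToString(sig)
}

// VerifyES256 needs only the realm's public key, which cannot be used to mint tokens.
func VerifyES256(pub *ecdsa.PublicKey, token string) (map[string]any, bool) {
	input, claims, sig, ok := splitToken(token, "ES256")
	h := sha256.Sum256([]byte(input))
	if !ok || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, false
	}
	return claims, true
}

func main() {
	// Constructed scenario with an assumed realm secret: the app that verifies HS256 holds that secret and can mint tokens; with ES256 it holds only the public key, so its own signatures are rejected.
	secret := []byte("constructed-realm-hmac-secret")
	_, forgedOK := VerifyHS256(secret, SignHS256(secret, map[string]any{"sub": "app-as-admin"}))
	realm, rogue := GenerateRealmKey(), GenerateRealmKey()
	_, rogueOK := VerifyES256(&realm.PublicKey, SignES256(rogue, map[string]any{"sub": "app-as-admin"}))
	fmt.Println("HS256 token forged by app accepted:", forgedOK, "/ ES256 token forged by app accepted:", rogueOK) // true false
}
```

Two details worth keeping when writing a real verifier: the expected algorithm is pinned by the verifier rather than read from the token header, so an HS256 token cannot be fed to the ES256 verifier (or vice versa), and the ES256 signature is the fixed-width r || s encoding that JWS specifies rather than the DER encoding most libraries emit natively.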

On 30/05/17 14:34, Matuszak, Eduard wrote:
> Hello
>
> Since version 2.5 it is possible to choose a signing mechanism other than RSA in the realm administration. To enhance performance, I tried to induce Keycloak to use HMAC for token signing, but it seems that this does not work: HMAC is ignored despite the priority settings, and login will even fail if the HMAC key is the only active/enabled key. It would be nice (and essential for our purposes, for performance reasons) to be able to change the signature algorithms, and if elliptic curves were provided as a fast asymmetric alternative to RSA as well. Is this projected for a near-future version?
>
> Best regards, Eduard Matuszak
>
